2. Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and to keep Purity Of
Essence
Sergey Gordeychik Gleb Gritsai Denis Baranov
Roman Ilin Ilya Karpov Sergey Bobrov
Artem Chaykin Yuriy Dyachenko Sergey Drozdov
Dmitry Efanov Yuri Goltsev Vladimir Kochetkov
Andrey Medov Sergey Scherbel Timur Yunusov
Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin
Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin
Roman Ilin Alexander Tlyapov Evgeny Ermakov
Alexey Osipov Kirill Nesterov
6. “… communication network protocols used for process or industrial
automation, building automation, substation automation,
automatic meter reading and vehicle automation applications …”
(c) wiki
http://en.wikipedia.org/wiki/List_of_automation_protocols
39. --snip--
Comment to PT-SOL-2014001:
The upload path has been changed. It is still possible to upload files, but they can't
overwrite system critical parts any more.
Comment to PT-SOL-2014002:
The system backup is created in a randomly chosen path and deleted afterwards.
Therefore unauthorized access is made much more difficult and very unlikely.
Second comment to PT-SOL-2014002:
In order to compensate the weak encryption in the configuration file, the whole
configuration file is now encrypted via the new HTTP transmission.
--snip--
64. Trust in input data: this time it is Content-Length
The size used for the memory allocation and the size used for the copy are mixed up
65. Controlling the size of the allocated memory
The size of the overflowed buffer is limited to 0x19000 (with default settings)
Single thread
Some modules without ASLR – enough to build a ROP chain
Demo
72. 3e6cd1f7bdf743cac6dcba708c21994f - MD5 of ? (16 bytes)
d37fa1c3 - CONST (4 bytes)
0001 - user logout counter (2 bytes)
0001 - counter of issued cookies for this user (2 bytes)
00028ad7 - value that doesn’t matter (4 bytes)
0a00aac8 - user IP address (10.0.170.200) (4 bytes)
00000000000000008ad72143 - value that doesn’t matter (12 bytes)
So, what about 3e6cd1f7bdf743cac6dcba708c21994f ???
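The cookie layout listed above, as an added parser (not the presenters' code): field sizes and order follow the slide, the sample cookie is constructed by concatenating the slide's values, and the dataclass names are my own.

```python
"""Parser for the 44-byte PLC session cookie laid out on the slide.

Added example, not the presenters' code. Field sizes and order follow the
slide; the sample cookie is constructed by concatenating the slide's values.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Big-endian layout: MD5(16) | CONST(4) | logout ctr(2) | issued ctr(2)
#                    | ignored(4) | client IPv4(4) | ignored(12)
COOKIE_FMT = ">16s4sHHI4s12s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)          # 44 bytes
EXPECTED_CONST = bytes.fromhex("d37fa1c3")        # constant field from the slide

# Constructed from the values shown on the slide (not a live capture).
SAMPLE_COOKIE = (
    "3e6cd1f7bdf743cac6dcba708c21994f" "d37fa1c3" "0001" "0001"
    "00028ad7" "0a00aac8" "00000000000000008ad72143"
)


@dataclass
class PlcCookie:
    digest: bytes          # MD5 over unknown input (involves SECRET, per the talk)
    logout_counter: int    # user logout counter
    issued_counter: int    # cookies issued for this user
    client_ip: str         # dotted IPv4 of the session owner


def parse_cookie(hex_cookie: str) -> PlcCookie:
    """Split a hex-encoded cookie into its fields, rejecting malformed input."""
    raw = bytes.fromhex(hex_cookie)
    if len(raw) != COOKIE_LEN:
        raise ValueError(f"cookie must be {COOKIE_LEN} bytes, got {len(raw)}")
    digest, const, logout, issued, _, ip_raw, _ = struct.unpack(COOKIE_FMT, raw)
    if const != EXPECTED_CONST:
        raise ValueError(f"unexpected constant field {const.hex()}")
    return PlcCookie(digest, logout, issued, str(ipaddress.IPv4Address(ip_raw)))
```

Everything except the 16-byte digest parses to predictable values (counters, client IP, constants), which is why the talk's question is only about the digest.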
74. SECRET is generated by a PRNG after PLC start.
The PRNG is a little harder than the standard C PRNG.
SEED in [0x0000, 0xFFFF]
Too much to brute-force (the PLC is so tender >_<)
76. What about SEED?
SEED very often depends on a time value
SEED = PLC START TIME + 320
320 was found empirically: the secret is generated ~3-4 seconds after PLC start using the current time
How to obtain PLC START TIME?
77. PLC START TIME = CURRENT TIME – UPTIME
Current time
Uptime
78. To generate the cookie we would have to brute-force:
Logout number (2 bytes, max 65535)
Number of issued cookies (2 bytes, max 65535)
Seed value (2 bytes, but max 100)
Still too many values to brute-force …
79. But if the user (admin) did not log out properly, then after 7 logins it is not possible to log in again
We have to restart the PLC or wait 30 minutes (cookie expiry time)
80. We can minimize the logout and issued-cookie counters to 7.
To generate the cookie we have to brute-force:
Logout number (2 bytes, max 7)
Number of issued cookies (2 bytes, max 7)
Seed value (2 bytes, but max 100)
82. Exploitation dependencies:
>= 1 successful login to the PLC after the last restart
SNMP enabled and a known read community string (but by default it's “public”)
BUT IT DOES NOT NEED A LOGIN AND PASSWORD !!!
83. CVE Timeline:
End of July 2013 – vulnerability discovered
5 August 2013 – vendor notified
20 March 2014 – patch released, first public advisory
84. <13.01.2013
In S7 PLC private/public community string for SNMP protocol can't be changed …
>06.02.2013
… you cannot change the SNMP community string … This issue has no effect on security, as only non-sensitive information can be changed via SNMP. … community strings changeable in TIA Portal v12.5.
>05.08.2013
… vulnerabilities related to S7 1500 and S7 1200 PLC in attached file … including hardcoded SNMP.
<22.10.2013
Hardcoded SNMP strings are in fact an issue …
We might eventually migrate to SNMPv3 …
87. PROFINET Discovery and basic Configuration Protocol (PN-DCP)
The Discovery and Basic Configuration Protocol DCP is a protocol definition
within the PROFINET context. It is a Data Link Layer based protocol to
configure station names and IP addresses. It is restricted to one subnet and
mainly used in small and medium applications without an installed DHCP
server.
System of A Down- Attack: http://bit.ly/LRDkhX
90. “An attacker could cause [the device] to go into defect mode
if specially crafted PROFINET packets are sent to the
device. A cold restart is required to recover the system”
What are “specially crafted PROFINET packets” ???
Just a “set” request: set the network IP, mask and
gateway to all zeroes (0.0.0.0)
95. An additional cyber security layer to
Experion's™ High Security Network
Architecture, the Experion™ Control
Firewall, further protects the controller
network against message flooding and
denial of service attacks.
Max Richter - Last Days: http://bit.ly/1jsCnvE
98. Hot keys
“Open”, “Save”, “Import”/“Export”
Help (MS HLP)
Go-go hcp::
URI
Windows
File:, Shell:, Telnet:, LDAP:
Applications
Quicktime:, Skype:, Play:
IE Image toolbar
iKAT
List of URI handlers
Filesystem functions
103. ― Sensors and actuators are gateways to industrial
networks
• http://files.pepperl-fuchs.com/selector_files/navi/productInfo/doct/tdoct1933b_eng.pdf
108. More than 40 various binary vulnerabilities
(from previous PHDays)
Half of them are easily exploitable stack-based
buffer overflows
Guess what, also no modern security (ASLR, DEP,
…)
Vulnerabilities typical of the 90s
109. No input validation
read is a thin wrapper around recv()
116. How to load the CPU of a critical energy-sector SCADA system to 100%
and drop all connections?
Maybe a common routine:
select() … recv() … do_something()
The common routine will do!
117. Use MSG_PEEK
Wait for no less than 16 bytes
Don’t accept anything smaller
Because the bigger – the better
After all threads are gone, ignore everything else
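The defensive counterpart of the routine above, as an added example (not the presenters' code): the receive loop keeps the MSG_PEEK check for a 16-byte header but runs every peek under a deadline, so a client that sends fewer bytes and goes quiet gets dropped instead of pinning a thread. The 16-byte header size is from the slide; the 0.2 s deadline and the socketpair harness are assumptions for the demo.

```python
"""Bounded header read: a slow client must not pin a worker thread.

Added example, not the presenters' code. The slide's routine peeks with
MSG_PEEK and waits until at least 16 bytes are queued, so a client that sends
fewer and goes quiet holds the thread forever. Here every peek runs under a
deadline and a short client yields None so the caller can drop the connection.
"""
import socket
import time
from typing import Optional

HEADER_LEN = 16        # minimum frame size the server insists on (from the slide)


def read_header(sock: socket.socket, deadline_s: float = 0.2) -> Optional[bytes]:
    """Return exactly HEADER_LEN bytes, or None if they did not arrive in time."""
    end = time.monotonic() + deadline_s
    while True:
        remaining = end - time.monotonic()
        if remaining <= 0:
            return None                           # client too slow: give up
        sock.settimeout(remaining)                # bound the blocking peek
        try:
            queued = sock.recv(HEADER_LEN, socket.MSG_PEEK)
        except socket.timeout:
            return None                           # nothing arrived before the deadline
        if not queued:
            return None                           # peer closed without a full header
        if len(queued) >= HEADER_LEN:
            return sock.recv(HEADER_LEN)          # enough queued: consume for real
        time.sleep(0.01)                          # partial header: poll, still bounded


def read_from_client(payload: bytes) -> Optional[bytes]:
    """Constructed offline harness: push `payload` through a socketpair."""
    client, server = socket.socketpair()
    try:
        client.sendall(payload)
        return read_header(server)
    finally:
        client.close()
        server.close()
```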
119. Regex
# grep recv <decompiled bin function>
ret = recv(s, buf, buf_len, flags)
# grep ‘buf|buf_len’ <decompiled bin function>
ret = recv(s, buf2, buf[42], flags)
This is not supposed to work in the real world!
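The two greps above, mechanised as an added audit script (not the presenters' tooling): it records which buffers recv() fills and reports any later recv() whose length argument is derived from such a buffer, directly (buf[42]) or through a plain assignment. The pseudo-C input is constructed to match the slide's output, not real decompiler text.

```python
"""Audit decompiled pseudo-C for recv() calls whose length comes off the wire.

Added example, not the presenters' tooling; it mechanises the slide's greps.
Buffers written by recv() are marked tainted; a recv() whose length expression
reads a tainted variable (or one assigned from it) is reported.
"""
import re
from typing import List, Set, Tuple

RECV_CALL = re.compile(
    r"\brecv\s*\(\s*(?P<sock>\w+)\s*,\s*(?P<buf>\w+)\s*,\s*(?P<len>[^,]+?)\s*,\s*(?P<flags>[^)]+)\)"
)
ASSIGNMENT = re.compile(r"^\s*(?P<lhs>\w+)\s*=\s*(?P<rhs>[^;]+);")


def identifiers(expr: str) -> Set[str]:
    """C identifiers used in an expression, e.g. {'buf'} for 'buf[42]'."""
    return set(re.findall(r"[A-Za-z_]\w*", expr))


def find_tainted_lengths(decompiled: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, dest_buffer, length_expr) for every recv() whose
    length argument is derived from data a previous recv() wrote."""
    tainted: Set[str] = set()          # variables holding network-controlled data
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(decompiled.splitlines(), 1):
        calls = list(RECV_CALL.finditer(line))
        if calls:
            for m in calls:
                if identifiers(m.group("len")) & tainted:
                    findings.append((no, m.group("buf"), m.group("len")))
                tainted.add(m.group("buf"))   # this buffer now holds network data
            continue
        a = ASSIGNMENT.match(line)
        if a and identifiers(a.group("rhs")) & tainted:
            tainted.add(a.group("lhs"))       # length computed from network data
    return findings


# Constructed pseudo-C modelled on the slide's grep output (not real decompiler text).
SAMPLE_FUNCTION = """\
ret = recv(s, buf, buf_len, flags);
if (ret <= 0) return -1;
ret = recv(s, buf2, buf[42], flags);
n = recv(s, buf3, sizeof(buf3), 0);
len = (buf[0] << 8) | buf[1];
recv(s, buf4, len, 0);
"""
```

Lines 3 and 6 of the sample are reported; line 4 is not, because sizeof(buf3) does not depend on received data.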
Operator or other low privileged access
Able to send messages only to HMI and not allowed to talk to PLC
Usage: CERN
Zurich and Geneve airports
25 power plants
RAG - underground gas storage
Others: “WinCC Open Architecture – more than SCADA”
Writing our own web server
???
PROFIT
however the impact is only minor since no relevant data can be written or read.
A CHP (thermal) plant is shown, but the same holds for hydro plants, power grids and even partly for oil refineries
Industrial process telemetry
Unified corporate network
Domain corp.tecX.energycompany.ru
MES/ERP systems
Integrators
Support, deployment
Administrators
Outsourcing
Internet
Most likely dedicated networks
Large networks
Corporate resources
Portals, e-mail, document management, remote access to applications, administrative access, service applications, feedback …
Perimeter protection that rules out remote attacks and the disabling of the SCADA system.
Internal protected cells that ensure the normal and independent operation of each ICS element while maintaining constant communication with the other modules of the SCADA system.